F Configure event notifications on S3 buckets for PUT POST and DELETE events


F. Configure event notifications on S3 buckets for PUT, POST, and DELETE events.

QUESTION 119
A company plans to migrate a sensitive dataset to Amazon S3. A Security Engineer must ensure that the data is encrypted at rest. The encryption solution must enable the company to generate its own keys without needing to manage key storage or the encryption process. What should the Security Engineer use to accomplish this?
A. Server-side encryption with Amazon S3-managed keys (SSE-S3)
B. Server-side encryption with AWS KMS-managed keys (SSE-KMS)
C. Server-side encryption with customer-provided keys (SSE-C)
D. Client-side encryption with an AWS KMS-managed CMK

QUESTION 120
A Security Engineer is defining the logging solution for a newly developed product. Systems Administrators and Developers need to have appropriate access to event log files in AWS CloudTrail to support and troubleshoot the product. Which combination of controls should be used to protect against tampering with and unauthorized access to log files? (Choose two.)
A. Ensure that the log file integrity validation mechanism is enabled.
B. Ensure that all log files are written to at least two separate Amazon S3 buckets in the same account.
C. Ensure that Systems Administrators and Developers can edit log files, but prevent any other access.
D. Ensure that Systems Administrators and Developers with job-related need-to-know requirements only are capable of viewing, but not modifying, the log files.
E. Ensure that all log files are stored on Amazon EC2 instances that allow SSH access from the internal corporate network only.

QUESTION 121
A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in transit. The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software. Which approach will meet these requirements while protecting the external certificate during a breach?
A. Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.
B. Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.
C. Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.
D. Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.

QUESTION 122
Which of the following are valid event sources that are associated with web access control lists that trigger AWS WAF rules? (Choose two.)
A. Amazon S3 static web hosting
B. Amazon CloudFront distribution
C. Application Load Balancer
D. Amazon Route 53
E. VPC Flow Logs

QUESTION 123

  • Fall '19
  • AWS, Amazon Elastic Compute Cloud